![]() You can also see the module (executable or dll on disk) used by that thread:Īnd, if you really want to know what’s the thread doing (and you have the necessary symbols loaded) you can open the stack (list of functions executed within that thread): More information on threads can be found in the “Windows Internals” and the “Troubleshooting with the Windows Sysinternal Tools” books. They are created and destroyed regularly and return the information from the execution back to the main thread (the persistent one). Note: Threads are the “sub-processes” of the process, each dedicated to the execution of a specific action. The Strings (Printable strings found in the process image/executable or memory):Īnd the list of threads for that process: One that shows the environmental variables used by the process: There is also a tab that shows the current Network Connections: If you’re troubleshooting performance issues, the Performance To see detailed information about a specific process double-click it (or right-click -> properties) and the following window will appear: Take the time to familiarize yourself with the different options, it will pay off in spades afterwards! You can also create a dump of a process for later analysis with tools like WinDBG: These allow you to configure Process Explorer to Run at Logon, Send the executable hashes to VirusTotal for verification (if you’re suspecting malware infection on the machine), Replacing Task Manager with Process Explorer (though I’ve had less than stellar success with that option on particularly problematic machines) and configure Symbols, which we’re going to look at further down in the article. On the top of the bar there is a menu with many different options, but the really interesting ones are these: You can get additional information about the process by putting the mouse cursor on top of it, and it even shows the services running within a svchost.exe instance: All of these columns are fully customizable to fit your needs: NET processes, “Immersive” processes, suspended processes, processes running as the same user as Process Explorer, processes that are part of a job, and packed images. Additionally, you can see the path to the executable and color coding that identifies the process type and state, such as services. More on that later) and much more.Īs you can see Process Explorer presents columns detailing running processes on your system, including the parent/child relationships, CPU usage, memory data, PID, description, company name, certificate signature, and verification status. ![]() It shows detailed information about all the running processes on the system, including resource utilisation (GPU, CPU, Memory, ecc…), Path, Signature, Threads and Stacks (though for a clear view of the stacks Symbols have to be configured and WinDBG installed. Process Explorer is, as Mark Russinovich calls it, “Task Manager on Steroids”. Let’s start with a short instruction about these tools. In this blog post we’ll focus on Process Monitor and Process Explorer while Autoruns and Procdump will be covered in the next one. The Sysinternals suite of tools is a collection of over 70 utilities that can be used to troubleshoot and diagnose a wide range of issues on a Windows system. Now that we’ve gotten the Russinovich mantra out of the way, let’s delve in! If it’s worth the time to use one of these tools then it’s probably worth the time to use both, and you will commonly find yourself doing this.And here we are on the 2nd post: Introduction to Process Explorer and Process Monitor.īefore we start, repeat after me “When in doubt, run Procmon!” In daily use I often start with Process Explorer to find processes which are consuming a lot of system resources and then move to process monitor to dig deeper into these processes. Using it you can find out what files, DLLs, and registry keys particular processes have open and the CPU and memory usage of each. Process Explorer is considered to be a more advanced form of the Windows Task Manager. You can think of this as a combination of the old FileMon and RegMon tools with some basic diagnostic features. This tool will display information regarding the file system, registry, and the processes running on the system as they are occurring. Process Monitor is a real-time troubleshooting tool. I’ve written tips on both of these and frequently see people confuse them or even ask about the differences between the two. Process Monitor and Process Explorer both have a lot in common as they are both Microsoft Sysinternals tools designed to help you troubleshoot and debug processes on a Windows host. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |